My name is Marc Rotenberg. I am director of the Electronic
Privacy Information in Washington, DC. I very much appreciate the
opportunity to appear before the Senate today as you consider
legislation to promote the availability of strong encryption. It
is also a privilege to sit at this hearing table with some of the
leading cryptographers in the world.

I can say without hesitation that EPIC and the many members
of the net community that we work with support your efforts to
reform encryption policy. It is clear to virtually everyone in
the online world that strong encryption is the cornerstone of
personal privacy and on-line security in the emerging information
economy.

There are three points that I will make this morning in
support of the Pro-Code Legislation

First, users of the Internet require good tools for privacy.
Without good privacy and security, users of advanced networked
services and consumers in the on-line world will literally take
their business elsewhere. They will look to services and
suppliers in other countries that will provide the necessary
technology for good privacy.

Second, our current policies for encryption are destined for
the history books. Current legislation, policies and codes no
longer reflect market reality or modern conditions. Even if one
supported these policies, which I do not, they cannot be made to
work. The recent report of the National Research Council makes
clear that there is a crisis in our current policy. These
problems will escalate if Congress fails to act.

Third, EPIC's litigation under the Freedom of Information Act
has shown that the White House will pursue every opportunity to
establish key escrow encryption that will enable the interception
of private communications. It will use export regulation,
industry coercion, taxpayer dollars, international organizations,
and even threatened prosecution to attempt to impose a standard
for encryption that is widely opposed by the user community and
the public at large. It is not enough to simply oppose legal
schemes that could mandate key escrow. The Congress must make
clear to the Administration, as the National Research Council has
already suggested, that there should be no promotion of key escrow
encryption in the private sector unless and until the government
can demonstrate that this particular encryption technique can be
made to work.

EPIC AND ENCRYPTION

The promotion of good encryption has always been a central
mission of the Electronic Privacy Information Center. EPIC began
in early 1994 with a campaign on the Internet to oppose the White
House's Clipper encryption scheme. That plan was a dangerous and
inappropriate attempt to control a technology vital to the
development of the Internet. We wrote in a letter to the
President that the Clipper proposal should not be adopted.

We believe that if this proposal goes forward, even on a
voluntary basis, privacy protection will be diminished,
innovation will be slowed, accountability will be
lessened, and the openness necessary to ensure to ensure
the successful development of the nation's
communications infrastructure will be threatened.

The letter was signed by a number of famous cryptographers,
including several of the people at this hearing table. Soon the
letter became a petition. And then researchers, students, and
company CEOs put their names to the statement. In all, more than
47,000 people on the Internet said "I oppose Clipper" and
supported our effort to send a clear message to the White House
that it was not for the government to prevent citizens from using
good tools for privacy protection.

The Clipper campaign was probably the most successful
petition drive ever organized on the Internet. Shortly after it
was delivered to the White House, the Administration indicated
that it was rethinking its proposals for the escrowed encryption
standard. It gave up its original plan for the government to hold
keys. But predictions that Clipper was dead proved to be
premature. Within months the White House was promoting a new
plan based on so-called voluntary escrow systems.

While I am proud of our work to bring to light the problems
with the Clipper plan, I have no illusion that this battle is
over. The government has continued to press for various forms of
encryption designed to promote interception of private
communications. Most recently, Attorney General Janet Reno
suggested at a speech to the Commonwealth Club in San Francisco
that key escrow encryption would be necessary to protect public
safety. And, so once again, the White House is pushing forward
with an effort to limit encryption techniques that are necessary
to protect privacy and security, and will certainly reduce the
level of criminal activity in the on-line world.

I should say a word also about our efforts to obtain
information about the development of encryption policies. We have
pursued Freedom of Information Act litigation to obtain documents
from the federal agencies concerning encryption. Thanks to the
efforts of EPIC's Legal Counsel David Sobel, who is today chairing
a session on the Internet and Civil Liberties at the Internet
Society's conference in Montreal, we have obtained previously
classified documents from the White House, the National Security
Council, the Department of Commerce, that raise serious questions
about the true intent of the Administration's encryption policy.

I will come back to some of the key discoveries in just a
moment.

EPIC has also organized important meetings on encryption
matters. EPIC's Policy Analyst Dave Banisar, who is today
attending the meeting of the OECD Expert Panel in Paris, has
organized the leading cryptography policy roundtable in Washington
for the last six years. It was at our roundtable this year that
Senator Burns described efforts to pass the Pro-Code legislation
and Jim Bidzos, CEO of RSA Data Security, first displayed chips
manufactured in Japan with Triple DES and 1,024 bit RSA.

I am also pleased to note that both David Sobel in Montreal
and Dave Banisar in Paris have made arrangements for this hearing
to be received over the Internet by the cybercast transmission at
those two locations. That we are able to do this underscores the
fact that we truly operating in a global environment.

Through these various activities, it has been EPIC's goal to
promote a more informed, more public debate about encryption
policy. We recognize that there are many strongly held views on
this issue, and that there is great complexity. We believe that
the best policies will result from an open, informed discussion.
For this reason we particularly appreciate these hearings on the
Pro-Code legislation.

I. THE USER COMMUNITY AND ENCRYPTION

A few years ago, only a small number of people knew about
encryption. Today, virtually everyone who is familiar with the
Internet recognizes that encryption is critical to the growth of
the on-line economy, and the protection of privacy and security.
Encryption is not just good for business and the economy. It is
necessary for the growth of the Internet and the safety of
consumers in the twenty-first century. Encryption is a tool of
privacy.

It is critical that users be able to choose from a wide range
of good tools that are designed for privacy and security. Efforts
to limit the availability of good encryption are naturally viewed
with suspicion. The Administration's Clipper Chip initiative was
the least popular technical proposal to come out of the federal
government in my life-time. One White House aide called Clipper
the "Bosnia of communications policy." Perhaps that was an
understatement. At every opportunity that the user community had
an opportunity to express its opinion on this proposal, it said
no. Users did not simply object to the proposal that the
government will hold the keys, they objected to a technology that
was clearly intended to promote government surveillance of private
communication.

Let me be very clear about this point. To the best of my
knowledge, there is virtually no support for key escrow in the
user community. There is virtually no support for key escrow
among our trading partners in North America, Europe or East Asia.
There is virtually no support for key escrow among any person
using the Internet today who values privacy. And if the Clipper
campaign proves anything it is that users of the Internet value
privacy.

II. THE WORLD IS CHANGING

Our current export control policies were developed in an era
when encryption was largely the province of spies and soldiers.
The policies of our government, which emphasized secrecy and
control, were appropriate in their day. But the world has changed.
Today encryption is stitched into commercial software like rivets
hold together cars and planes. It protects not only the
confidentiality of communications, but also authentication and
verification. Encryption can even provide techniques for anonymous
transactions that will promote commerce and protect privacy.

The electronic communications infrastructure is clearly no
longer the exclusive domain of governments. Today's network
carries not only diplomatic communiques and military plans as in
an earlier day -- it is the conduit for global electronic
commerce, private correspondence and the most sensitive bits of
personal information, including medical and financial records.
The average citizen now has a vested interest in the absolute
security and privacy of the electronic data that traverses the
network. As this committee recognizes, it is encryption
technology that provides that security and privacy.

We also know that government proposals are invariably flawed.
This is not surprising. The government is prepared to sacrifice
the workings of the marketpace and consumer demand for its own
best guess about what will work. Even if we agreed with the
government's goal, there is little reason to believe that the
Administration's encryption strategy would succeed. Security
technology is no longer the monopoly of the U.S. government -- if,
in fact, it ever was. The technological know-how is now global,
and if the U.S. computer industry is not permitted to deliver
these crucial products to the marketplace, other providers will
quickly fill the void.

In such a world, the best policies are those that seek to
adapt to changing circumstance. It would be foolhardy for our
government not to anticipate that strong, unbreakable encryption
will be widely available on the Internet. And it would be equally
wrong to prevent American citizens and American businesses from
making use of the best tools available to protect their sensitive
information from potential criminal threats.

We are therefore in a period of transition when law must be
updated to reflect new realities. Reforming the export control
regime so that it reflects the need for good encryption in
commercial products and to protect personal privacy is a sensible
first step. Further delay is likely only to increase the risks to
users and businesses.

III. THE ADMINISTRATION'S COMMITMENT TO CLIPPER

We therefore believe it is essential to oppose any form of
key escrow that is promoted by the government rather than demanded
by the users. The White House will use every opportunity to force
the adoption of breakable encryption -- government spending,
intimidation of developers and outdated export controls. It will
even threaten prosecution of a former peace activist for arms
dealing if it believes it can slow the use of good tools of
privacy.

It is a critical to understand that the White House continues
to believe that encryption should only be available if it is can
easily be broken. There have been several proposals all based on
this same premise. Each has a new name. The White House will
promote "Voluntary Key Escrow." They will endorse "Commercial Key
Escrow." They will support "Escrow Encryption Standard. " And
they will back a new plan for "Key Management Infrastructure."
Call it what you will, it is still Clipper.

As I have mentioned, EPIC has made extensive use of the
Freedom of Information Act to seek the disclosure of previously
classified documents concerning encryption policy. FBI documents
we obtained last year show that key federal agencies concluded
more than three years ago that the Clipper Chip key-escrow
initiative will only succeed if alternative security techniques
are outlawed and key-escrow is made mandatory.

The conclusions contained in the documents appear to conflict
with frequent Administration claims that use of Clipper technology
will remain "voluntary." Critics of the government's initiative,
including EPIC, have long maintained that the Clipper key-escrow
technique would only serve its stated purpose if made mandatory.
According to the FBI documents, that view is shared by the Bureau,
the National Security Agency (NSA) and the Department of Justice
(DOJ).

In a briefing document titled "Encryption: The Threat,
Applications and Potential Solutions," and sent to the National
Security Council in February 1993, the FBI, NSA and DOJ concluded
that:

Technical solutions, such as they are, will only work if
they are incorporated into all encryption products. To
ensure that this occurs, legislation mandating the use
of Government-approved encryption products or adherence
to Government encryption criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging
Telecommunications Technologies on Law Enforcement" observes that
"[a]lthough the export of encryption products by the United States
is controlled, domestic use is not regulated." The report
concludes that "a national policy embodied in legislation is
needed." Such a policy, according to the FBI, must ensure "real-
time decryption by law enforcement" and "prohibit[] cryptography
that cannot meet the Government standard."

The FBI conclusions stand in stark contrast to public
assurances that the government does not intend to prohibit the use
of non-escrowed encryption. Testifying before a Senate Judiciary
Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann
Harris asserted that:

As the Administration has made clear on a number of
occasions, the key-escrow encryption initiative is a
voluntary one; we have absolutely no intention of
mandating private use of a particular kind of
cryptography, nor of criminalizing the private use of
certain kinds of cryptography.

These documents demonstrate that the architects of the
Clipper program -- the NSA and the FBI -- have always recognized
that key-escrow must eventually be mandated. As privacy advocates
and industry representatives have always said, Clipper does
nothing for law enforcement unless the alternatives are outlawed.
For that reason, Mr. Chairman, we are particularly pleased with
that provision of the PRO-Code legislation that would prohibit any
mandatory key-escrow procedure.

There is no question that law enforcement has legitimate
concerns. There will be lawful criminal investigations frustrated
because some data was encrypted. But, as the distinguished
National Research Council panel found, the widespread
availability of strong encryption will also prevent crime.

It is also important to understand that in our constitutional
form of government, obtaining private information on citizens is
supposed to be difficult. Nowhere in our Constitution is it
stated that the federal government has the right to tap our phones
or decode our private conversations. But it is clear that the
framers intended to prevent the type of open-ended search
authority that underlies the current push for wiretap-friendly
networks and a key-escrow infrastructure.

PRO-CODE LEGISLATION

The Pro-Code legislation moves us all in the right direction.
It creates opportunities for business. It promotes good tools for
Internet users. It puts in place the techniques necessary for
good privacy and security that will protect public safety and
reduce the risk of criminal attack. The legislation is a
necessary step to ensure the development of a Global Information
Infrastructure that promotes on-line commerce and preserves
individual privacy.

EPIC welcomes the opportunity to work with the Committee and
the sponsors of the legislation to ensure that this bill
accomplishes the goal of ensuring good privacy and security in the
on-line world. I can also assure you that the Internet community
is very grateful for your efforts.

I thank you again for the opportunity to testify today. I
would be pleased to answer your questions.

Marc Rotenberg is director of the Electronic Privacy Information
Center in Washington, DC (www.epic.org) and a faculty member at
the Georgetown University Law Center, where he has taught the Law
of Information Privacy since 1991. Mr. Rotenberg is a member of
the OECD Expert Panel on Cryptography Policy and the Federal
Networking Council Advisory Committee. He is secretary of Privacy
International (www.privacy.org/pi) and coordinator of the Internet
Privacy Coalition (www.privacy.org/ipc/), which launched the
Golden Key Campaign to raise public awareness of the need for
strong privacy and security on the Internet.

The Electronic Privacy Information Center is a public
interest research center in Washington, DC. It was established in
1994 to focus public attention on emerging privacy issues relating
to the National Information Infrastructure, such as the Clipper
Chip, the Digital Telephony proposal, medical record privacy, and
the sale of consumer data. EPIC is sponsored by the Fund for
Constitutional Government, a non-profit organization established
in 1974 to protect civil liberties and constitutional rights.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information,
email info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
9240 (tel), +1 202 547 5482 (fax).

Privacy International (http://www.privacy.org/pi/) was formed
in 1990 as a watchdog on surveillance by governments and
corporations. With members in more than 40 countries, it has
created an international movement that has helped to counter
abuses of privacy by way of information technology. Privacy
International has conducted campaigns in Europe, Asia and North
America to raise awareness about the dangers of ID card systems,
military surveillance, data matching, police information systems,
and credit reporting. It is based in London, UK, and is
administered by the Electronic Privacy Information Center (EPIC)
in Washington, D.C. Privacy International publishes a quarterly
newsletter (the International Privacy Bulletin) and organizes
conferences each year on privacy and technology.

The mission of the Internet Privacy Coalition
(http://www.privacy.org/ipc) is to promote privacy and security on
the Internet through widespread public availability of strong
encryption and the relaxation of export controls on cryptography.
The Coalition includes more than forty organizations, businesses,
and associations. The founding members of the Coalition include
Ross Anderson, Steven Bellovin, Matt Blaze, George Davida,
Whitfield Diffie, Taher Elgamal, Carl Ellison, John Gilmore, Phil
Karn, Bruce Koball, William Hugh Murray, Ron Rivest, Allan
Schiffman, Jeff Schiller, Bruce Schneier, Michael Wiener, and
Philip Zimmermann.